HIPAA Software for Home Health Agencies
How home health agencies should evaluate HIPAA software for field-worker mobile device controls, visiting-nurse BAAs, OASIS handoffs, and field incident logging.
What matters for this use case
Home health agencies do most of their PHI work outside a controlled office. The compliance program has to survive field conditions, lost devices, paper handoffs, and incidents reported from the car.
Home health compliance happens in the car, the kitchen, and the driveway
An office-based clinic controls its environment. A home health agency does not. Field clinicians work in patients’ homes, document in cars between visits, handle paper OASIS drafts, and sometimes lose a phone between the third and fourth visit of the day. The compliance program has to hold up in those conditions, not only during a quarterly office review.
That changes what matters in HIPAA software. Policy libraries and attestations still count. But the features that actually prevent breaches are the ones that work on a phone, offline, in ten seconds.
Field-worker mobile devices are the exposure surface
Many home health breaches trace back to a lost laptop, stolen phone, or unencrypted tablet. 45 CFR 164.310 requires physical safeguards, including device and media controls (164.310(d)), and 164.312 requires technical safeguards such as access control and encryption. Encryption is an addressable specification, but it is the control that decides whether a lost device is a breach at all: ePHI encrypted in line with HHS guidance (NIST SP 800-111 for data at rest) counts as "secured," and the breach notification rule applies only to unsecured PHI. Your software should enforce three things at minimum:
- Device inventory per workforce member. Every device that touches PHI is listed, owned, and confirmed periodically.
- Encryption attestation. A recurring task that confirms each device has disk encryption enabled. Not a one-time checkbox: the attestation record is also what you will produce to show the device was encrypted on the day it went missing.
- Lost-device incident flow. A three-minute path from "I cannot find my phone" to a logged incident with a named responder, because the breach notification clock starts at discovery, and under 45 CFR 164.404(a)(2) a breach is treated as discovered on the first day any workforce member other than the person who caused it knows of it or reasonably should have known.
Mobile device management is a separate vendor relationship. The MDM vendor needs a BAA. So does the cloud backup provider. So does the EHR. The BAA register should list them all with expiration dates.
OASIS handoffs are compliance events
OASIS documentation moves from the field clinician to quality assurance to billing. Each handoff is a PHI event. The risk is not the clinical content; it is the mechanism. Paper drafts in glove compartments, photos of forms texted to the office, and unencrypted email attachments all create findings.
A working handoff model:
- OASIS drafts live in a BAA-covered system from start to finish.
- Paper, if used at all, has a documented destruction step that is logged as a completed task.
- QA review and billing handoff are recorded steps with timestamps and named owners.
This is less about software features and more about whether the compliance program can prove, after the fact, who touched what and when.
Incident reporting has to work from the field
A clinician who discovers a potential breach at 2pm between visits should not have to wait until 5pm at the office to report it. The software should let them log the incident from the phone, attach a photo if relevant, and hand it off to the compliance lead. From there the standard incident workflow runs: initial assessment, the four-factor risk assessment in 45 CFR 164.402 (the nature and extent of the PHI involved, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated), notification decisions, and documentation.
The breach notification clock is statutory: 45 CFR 164.404 requires individual notice without unreasonable delay and no later than 60 calendar days after discovery, and those days count from the clinician's 2pm discovery, not from when the office hears about it. Field-friendly reporting is what keeps you on the right side of it.
What to look for in the software
- Mobile device inventory with periodic encryption attestation.
- BAA register covering EHR, MDM, backup, messaging, and any vendor processing ePHI.
- Recurring training and acceptable-use attestations, signed from the phone.
- Incident capture from field devices with a named responder.
- Policy library including bring-your-own-device, acceptable use, and workstation-in-home policies.
- Per-clinic flat pricing, because home health headcount is high and seat-based pricing penalizes growth.
The defensible home health model
Five artifacts, kept current: workforce roster with device assignments, vendor and BAA register with expirations, field-ready policy library with attestations, incident log, and recurring-task ledger covering encryption checks and access reviews. PHIGuard covers all five under per-clinic pricing with BAA coverage at every tier.
For the rules behind the controls, see our HIPAA basics. For a program self-check, request the self-assessment. Price the move on the pricing page. Agencies that also operate a central office can compare the multi-location model since the location-scoped role pattern carries over.
Sources
- HIPAA Security Rule | HHS
- 45 CFR 164.310 — Physical Safeguards | eCFR
- OASIS Guidance | CMS